Analysis
-
max time kernel
142s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64  arch:x86  image:win10v2004-20240709-en  locale:en-us  os:windows10-2004-x64  system
submitted
20-07-2024 03:47
Static task
static1
Behavioral task
behavioral1
Sample
5ee97ec477be8f8e2278ceb1bea0bf17_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
5ee97ec477be8f8e2278ceb1bea0bf17_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
5ee97ec477be8f8e2278ceb1bea0bf17_JaffaCakes118.exe
-
Size
562KB
-
MD5
5ee97ec477be8f8e2278ceb1bea0bf17
-
SHA1
ca4ab290fe3c350aadbad3ff2a2e061490151baf
-
SHA256
d11a8fbe4457648302e5760c0aa9cc2ed324c027b42502fc219f1c88d3409c7b
-
SHA512
91b522bbc0e960aafb228371c18309fb45acd95d00cc657da5106155085620bd4654128e40b7888408fdd32833c64d6778a7c796488c2f51e41b98a279eea418
-
SSDEEP
12288:nobCQ2kk117mUSCAZHBfI7bSNKRxSIEGpzK6FSkFvI1ZslH4yqY:nobCP7mUFAjpKRxN5pzvcalH4yV
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid   Process
1176  wdfmgr.ra-
-
Drops file in Program Files directory 2 IoCs
description                   ioc                                           Process
File created                  C:\Program Files (x86)\Messenger\wdfmgr.ra-   5ee97ec477be8f8e2278ceb1bea0bf17_JaffaCakes118.exe
File opened for modification  C:\Program Files (x86)\Messenger\wdfmgr.ra-   5ee97ec477be8f8e2278ceb1bea0bf17_JaffaCakes118.exe
-
Drops file in Windows directory 1 IoCs
description   ioc                    Process
File created  C:\Windows\Delete.bat  5ee97ec477be8f8e2278ceb1bea0bf17_JaffaCakes118.exe
-
Modifies data under HKEY_USERS 5 IoCs
description      ioc                                                                                                            Process
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                  wdfmgr.ra-
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    wdfmgr.ra-
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   wdfmgr.ra-
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  wdfmgr.ra-
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     wdfmgr.ra-
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description              pid   Process
Token: SeDebugPrivilege  2632  5ee97ec477be8f8e2278ceb1bea0bf17_JaffaCakes118.exe
Token: SeDebugPrivilege  1176  wdfmgr.ra-
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid   Process
1176  wdfmgr.ra-
-
Suspicious use of WriteProcessMemory 5 IoCs
description                       pid   Process                                              procid_target
PID 2632 wrote to memory of 4716  2632  5ee97ec477be8f8e2278ceb1bea0bf17_JaffaCakes118.exe  88
PID 2632 wrote to memory of 4716  2632  5ee97ec477be8f8e2278ceb1bea0bf17_JaffaCakes118.exe  88
PID 2632 wrote to memory of 4716  2632  5ee97ec477be8f8e2278ceb1bea0bf17_JaffaCakes118.exe  88
PID 1176 wrote to memory of 3964  1176  wdfmgr.ra-                                           89
PID 1176 wrote to memory of 3964  1176  wdfmgr.ra-                                           89
Processes
-
C:\Users\Admin\AppData\Local\Temp\5ee97ec477be8f8e2278ceb1bea0bf17_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5ee97ec477be8f8e2278ceb1bea0bf17_JaffaCakes118.exe"
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2632
-
  C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Windows\Delete.bat
  PID:4716
-
-
C:\Program Files (x86)\Messenger\wdfmgr.ra-
Command line: "C:\Program Files (x86)\Messenger\wdfmgr.ra-"
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1176
-
  C:\Program Files\Internet Explorer\IEXPLORE.EXE
  Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  PID:3964
-
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
562KB
MD5     5ee97ec477be8f8e2278ceb1bea0bf17
SHA1    ca4ab290fe3c350aadbad3ff2a2e061490151baf
SHA256  d11a8fbe4457648302e5760c0aa9cc2ed324c027b42502fc219f1c88d3409c7b
SHA512  91b522bbc0e960aafb228371c18309fb45acd95d00cc657da5106155085620bd4654128e40b7888408fdd32833c64d6778a7c796488c2f51e41b98a279eea418
-
Filesize
214B
MD5     5733c4d9ef156a975d5f86941e69e0b3
SHA1    1a33ffe657240f21082042037ea6b9117f2ae634
SHA256  80a09777eb095573498f6a24aa77c3b60f9b1ebbda881c2d7509fb5ac845c108
SHA512  2be478140debff70b2a8a5c734e8b4e9de4cb94414616f993071773effcea0826d1ac0de432c203ea0f32f1c9634d7470e79317a7419dca38878c416cabfc923